Data Privacy Risks On The Rise

Allegations that data analysts may have misused the personal information of up to 87 million Facebook users have propelled the issue of personal data privacy into the limelight, just as the EU applies its tough new regime, the General Data Protection Regulation (GDPR). Sally Swann from risk management and insurance advisers JLT Specialty Limited comments on the growing risk of theft of personal data.

In March 2018, the alleged misuse of Facebook user data by a data analyst firm raised awareness of the third-party data market. While there are many genuine reasons for individuals and organisations to share personal data – such as for medical research – concerns have been growing about the security of such data and how it is being used by third parties.

The monetisation of personal data has seen the emergence of a market to collect, analyse and sell personal data. Data collected by the likes of Facebook and other service providers is commonly used by third parties and organisations to direct advertising and messaging as well as to provide companies with business insights.

In recent years, large data breaches have hit the headlines, but given the allegations against Facebook and the data analyst, the use of personal data is likely to become an area of growing interest for policy makers and regulators in future.

The UK’s Information Commissioner’s Office (ICO), for example, is already investigating 30 organisations (including Facebook) over the use of personal data and analytics by political campaigns, social media companies and other commercial entities. The European Commission also says that it will expand its investigation into the harvesting of personal data, warning that the Facebook case is probably not isolated.

Other companies are believed to have accessed the same data from the online survey app used by Cambridge Analytica. Facebook, for example, has since banned other data analytics firms that it suspects are sharing or selling users' data with third parties. In early April it suspended data analytics firm CubeYou, which also ran online quizzes to gather data, as well as Canadian political consultancy AggregateIQ. Facebook also announced that it will shut its partner category service, which uses third-party data to inform targeted advertising. The UK’s ICO had been investigating the service, which it says is a “significant area of concern”.

EMERGING RISK

Privacy is likely to become an even more complex and emotive issue as organisations find more and more uses for existing and emergent technologies like biometrics or the Internet of Things. Such technologies may bring benefits for society and efficiencies and opportunities for business, but they will also come with risks.

For example, amid its privacy crisis, Facebook announced that it wants to use facial recognition technology to identify European users in photos and videos. However, the company already faces a class action lawsuit in California alleging that it gathered biometric information without users' consent.

GDPR

Privacy is also likely to emerge as an increasing area of liability under GDPR, which gives consumers far greater control over their data.

The new rules give EU consumers increased rights over how their personal data is used – for example, an individual can request that their data is deleted under the “right to be forgotten”. GDPR also places more responsibility on organisations to think about how they use and store data – for example, organisations can only collect data where there is a business case to do so.

Given that over two million European Facebook users are affected by the recent privacy issues, GDPR would more than likely have come into play had the incident happened after May 2018. GDPR does not apply retroactively, but commentators have suggested that Facebook theoretically would have faced a USD 1 billion fine under the new rules, where the maximum penalty is up to 4% of a company’s annual global revenue.

This article was originally compiled for the benefit of clients and prospective clients of companies of the JLT group of companies (“JLT”) and published on jlt.com. It is not legal advice and is intended only to highlight general issues relating to its subject matter; it does not necessarily deal with every aspect of the topic. Views and opinions expressed in this document are those of JLT unless specifically stated otherwise. Whilst every effort has been made to ensure the accuracy of the content of this document, no JLT entity accepts any responsibility for any error, or omission or deficiency. If you intend to take any action or make any decision on the basis of the content of this document, you should first seek specific professional advice. The information contained within this article may not be reproduced and nothing herein shall be construed as conferring to you by implication or otherwise any licence or right to use any JLT intellectual property.